Bug 58823 (CVE-2004-0792) - VUL-0: CVE-2004-0792: rsync path-sanitizing bug (security)
Summary: VUL-0: CVE-2004-0792: rsync path-sanitizing bug (security)
Status: RESOLVED FIXED
Alias: CVE-2004-0792
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All Linux
Priority: P3 - Medium
Severity: Critical
Target Milestone: ---
Assignee: Thomas Biege
QA Contact: Security Team bot
URL:
Whiteboard: CVE-2004-0792: CVSS v2 Base Score: 6....
Keywords:
Depends on:
Blocks:
 
Reported: 2004-08-15 04:56 UTC by Mads Martin Joergensen
Modified: 2021-10-02 09:48 UTC (History)
CC List: 1 user

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Mads Martin Joergensen 2004-08-15 04:56:36 UTC
http://samba.org/rsync/#security_aug04

"There is a path-sanitizing bug that affects daemon mode in all recent rsync
versions (including 2.6.2) but only if chroot is disabled. It does NOT affect
the normal send/receive filenames that specify what files should be transferred
(this is because these names happen to get sanitized twice, and thus the second
call removes any lingering leading slash(es) that the first call left behind).
It does affect certain option paths that cause auxiliary files to be read or
written."

There's a source-code patch which I've applied to 8.1, 8.2, 9.0 and 9.1 and
submitted for checkin. Patchinfos are still missing.
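The advisory quoted above hinges on one property of a path sanitizer: a single call must already produce a relative, clean path, so that nothing depends on a second call happening to tidy up what the first one left behind. The following C is an added illustration of that property and is not rsync's code, nor part of this bug report; `naive_sanitize_once`, `sanitize_path`, `sanitizer_is_sound` and the sample inputs are all hypothetical and constructed here.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical one-pass stripper (not rsync's code): removes a single
 * leading '/' and a single leading "../". A second leading slash survives
 * the first call, which is the kind of "lingering leading slash" the
 * advisory describes; a second call happens to clean it up, so a caller
 * that sanitizes twice never notices. Caller frees the result. */
char *naive_sanitize_once(const char *in)
{
    const char *p = in;
    if (*p == '/')
        p++;
    if (strncmp(p, "../", 3) == 0)
        p += 3;
    return strdup(p);
}

/* Component-wise sanitizer (hypothetical): splits on '/', drops empty and
 * "." components, and lets ".." pop a previous component but never climb
 * above the root. The output is always relative and contains no "..",
 * whatever the input, so one call is enough. Caller frees the result. */
char *sanitize_path(const char *in)
{
    size_t len = strlen(in);
    char *copy = strdup(in);
    char **parts = calloc(len + 1, sizeof *parts); /* upper bound on components */
    size_t n = 0;
    char *save = NULL;

    for (char *tok = strtok_r(copy, "/", &save); tok; tok = strtok_r(NULL, "/", &save)) {
        if (strcmp(tok, ".") == 0)
            continue;
        if (strcmp(tok, "..") == 0) {
            if (n > 0)
                n--;           /* step back inside the root only */
            continue;          /* ".." at the root is simply dropped */
        }
        parts[n++] = tok;
    }

    char *out = malloc(len + 1); /* output is never longer than input */
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (i > 0)
            strcat(out, "/");
        strcat(out, parts[i]);
    }
    free(parts);
    free(copy);
    return out;
}

/* The property a sanitizer must have: its output is already clean (a second
 * call changes nothing) and is never absolute. Returns 1 if the given
 * sanitizer satisfies this for the given input, 0 otherwise. */
int sanitizer_is_sound(char *(*san)(const char *), const char *in)
{
    char *once = san(in);
    char *twice = san(once);
    int ok = once[0] != '/' && strcmp(once, twice) == 0;
    free(once);
    free(twice);
    return ok;
}

/* Convenience check: does sanitize_path(in) yield exactly expected? */
int sanitized_equals(const char *in, const char *expected)
{
    char *out = sanitize_path(in);
    int ok = strcmp(out, expected) == 0;
    free(out);
    return ok;
}

int main(void)
{
    /* Constructed inputs of the shape an option path might carry. */
    const char *inputs[] = { "//etc/passwd", "../../secret", "a/./b/../c", "module/../../x" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        char *naive = naive_sanitize_once(inputs[i]);
        char *clean = sanitize_path(inputs[i]);
        printf("%-16s naive=%-12s (sound=%d)  component-wise=%-8s (sound=%d)\n",
               inputs[i], naive, sanitizer_is_sound(naive_sanitize_once, inputs[i]),
               clean, sanitizer_is_sound(sanitize_path, inputs[i]));
        free(naive);
        free(clean);
    }
    return 0;
}
```

The check worth keeping from this is `sanitizer_is_sound`: running it over representative inputs flags any sanitizer whose correctness silently depends on being invoked twice, which is exactly the condition that masked this bug on the normal file-name path but not on the option paths.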
Comment 1 Ruediger Oertel 2004-08-16 06:23:07 UTC
Patchinfos are written.
Who of the sec-team is handling this? Please take over this bug...
 
Comment 2 Marcus Meissner 2004-08-16 14:10:24 UTC
Thomas, can you handle this? 
 
we need to get this out today if possible. 
Comment 3 Thomas Biege 2004-08-16 20:53:49 UTC
Packages approved. Advisory follows in a few minutes.
Comment 4 Marcus Meissner 2007-11-30 10:29:46 UTC
CVE-2004-0792  
Comment 5 Thomas Biege 2009-10-13 20:31:46 UTC
CVE-2004-0792: CVSS v2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)